<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px"><div id="yui_3_16_0_1_1456642997157_7191">Hi, Noel</div><div id="yui_3_16_0_1_1456642997157_7191"><br></div><div id="yui_3_16_0_1_1456642997157_7191">Or can this "access denied" come from the pkcs format?</div><div id="yui_3_16_0_1_1456642997157_7191" dir="ltr">pkcs#7 is used in this case; should pkcs#12 be used?</div><div id="yui_3_16_0_1_1456642997157_7191" dir="ltr"><br></div><div id="yui_3_16_0_1_1456642997157_7191" dir="ltr">Regards,</div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Sunday, 28 February 2016, 15:20, yukou katori <k10lie.tech@yahoo.co.uk> wrote:<br></font></div>  <br><br> <div class="y_msg_container"><div id="yiv2584448123"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Hi, Noel</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18752"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Thanks.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">I compiled again to isolate this problem.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">The reason no item about certificates was shown by "ipsec listall" was that I had imported an incorrect certificate from 
FreeRadius.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Now I could get the item about CA by "ipsec install".</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18759"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">But I still get the same error.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18763"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">What does "access denied" mean?</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">This is for TLS 1.2, but it means:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">   access_denied</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">      A valid certificate was received, but when access control was</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">      applied, the sender decided not to proceed with negotiation.  
This</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">      message is always fatal.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">   from rfc5246</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18773"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Access control?</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18777"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">I compiled like this:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18782"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Regards,</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18786"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18789"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// debug of StrongSwan.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" 
id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Sun Feb 28 10:28:54 2016 : Info: [ttls] <<< TLS 1.0 Alert [length 0002], fatal access_denied</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Sun Feb 28 10:28:54 2016 : Error: TLS Alert read:fatal:access denied</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Sun Feb 28 10:28:54 2016 : Error:     TLS_accept: failed in SSLv3 read client certificate A</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Sun Feb 28 10:28:54 2016 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Sun Feb 28 10:28:54 2016 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Sun Feb 28 10:28:54 2016 : Debug: TLS receive handshake failed during operation</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18801"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18804"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// config of ipsec.conf</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">root@eNB-3:/usr/local/etc# cat ipsec.conf</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"># /etc/ipsec.conf - strongSwan IPsec configuration file</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br 
clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18812"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">config setup</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        charondebug="tls 4, ike 4, lib 4"</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18817"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">conn %default</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        ikelifetime=60m</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        keylife=20m</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        rekeymargin=3m</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        keyingtries=1</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        keyexchange=ikev2</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18826"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">conn eap-ttls-rad1</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        left=192.168.31.10</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        leftsourceip=%config</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        leftid=test1@test</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        leftauth=eap</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        #leftauth2=md5</div><div class="yiv2584448123" 
id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        right=192.168.120.254</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        #rightcert=/usr/local/etc/ipsec.d/certs/Radius-1_Svr_cert</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        rightid=Radius-1@test</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        rightsubnet=2.0.0.1/32</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        rightauth=pubkey</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        #rightauth2=md5</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        auto=add</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18843"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18846"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// output of "ipsec listall"</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">root@eNB-3:/usr/local/etc# ipsec listall</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18853"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">List of X.509 CA Certificates:</div><div class="yiv2584448123" 
id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18857"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  subject:  "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@XXX.com, E=yukou.katori@XXX.com"</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  issuer:   "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@XXX.com, E=yukou.katori@XXX.com"</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  serial:    91:72:72:2d:af:3f:7c:73</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  validity:  not before Feb 28 01:02:24 2016, ok</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">             not after  Feb 27 01:02:24 2017, ok</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  pubkey:    RSA 2048 bits</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  keyid:     e5:a7:66:c8:00:8f:8a:3a:72:7a:b3:af:ef:6c:e5:a4:3f:bb:51:16</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  subjkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">  authkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18869"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">List of registered IKE algorithms:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">(snip)</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" 
id="yiv2584448123yui_3_16_0_1_1456501419487_18874"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18877"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Just for info, user configuration of FreeRadius is fine.</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// about Server's certificate</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// CN=Radius-1_svr@test was issued by CN=Radius-1_CA</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">root@Radius-1:/usr/lib/ssl/misc#  openssl x509 -text -noout -in Radius-1_Svr_cert</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Certificate:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">    Data:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        Version: 3 (0x2)</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        Serial Number: 0 (0x0)</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">    Signature Algorithm: sha256WithRSAEncryption</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        Issuer: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@test/emailAddress=yukou.katori@test</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        Validity</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">            Not Before: Feb 27 16:18:46 2016 GMT</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"> 
           Not After : Feb 26 16:18:46 2017 GMT</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        Subject: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr@test/emailAddress=yukou.katori@test</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">        Subject Public Key Info:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">            Public Key Algorithm: rsaEncryption</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">                Public-Key: (2048 bit)</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">                Modulus:</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18900"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// users</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/// user configuration seems fine...</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">///</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">test1@test Cleartext-Password := "test1@test"</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18908"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18911"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">/etc/freeradius/wpa_supplicant-2.5/wpa_supplicant# ./eapol_test -c eap-ttls.conf -s testing123 -a 127.0.0.1</div><div class="yiv2584448123" 
id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Reading configuration file 'eap-ttls.conf'</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">identity - hexdump_ascii(len=15):</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d      test1@test</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">password - hexdump_ascii(len=15):</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d      test1@test</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">phase2 - hexdump_ascii(len=8):</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">     61 75 74 68 3d 4d 44 35                           auth=MD5</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">Priority group 0</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">   id=0 ssid=''</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">(snip)</div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18926"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">MPPE keys OK: 1  mismatch: 0</div><div id="yiv2584448123yui_3_16_0_1_1456501419487_14812"></div><div class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_14812">SUCCESS</div><div class="yiv2584448123" dir="ltr" id="yiv2584448123yui_3_16_0_1_1456501419487_18930"><br clear="none" class="yiv2584448123" id="yiv2584448123yui_3_16_0_1_1456501419487_18932"></div> <div 
class="yiv2584448123qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv2584448123yqt3201499638" id="yiv2584448123yqt92425"><div class="yiv2584448123yahoo_quoted" style="display:block;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div dir="ltr"><font size="2" face="Arial"> On Friday, 26 February 2016, 0:38, Noel Kuntze <noel@familie-kuntze.de> wrote:<br clear="none"></font></div>  <br clear="none"><br clear="none"> <div class="yiv2584448123y_msg_container">Hello Yukou,<br clear="none"><br clear="none">> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)<br clear="none">>> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'<br clear="none">What does your config look like? Obviously, the RADIUS server only authenticates itself, not the authenticator.<br clear="none"><br clear="none">>I installed certification of the server:<br clear="none">>ipsec.d/certs/<br clear="none">Where is that exactly? 
Are you aware that the location of ipsec.d changes, depending on the compile time<br clear="none">sysconfdir and prefix settings?<br clear="none"><br clear="none">> When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed up.<br clear="none">Make sure you understand where charon thinks ipsec.d actually is.<br clear="none"><br clear="none"><br clear="none"><div class="yiv2584448123yqt1993556077" id="yiv2584448123yqtfd85685"><br clear="none">On 25.02.2016 08:51, yukou katori wrote:<br clear="none">> Hi,<br clear="none">><br clear="none">> I'm setting up EAP-TTLS-Radius client on StrongSwan5.3.5.<br clear="none">><br clear="none">> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)<br clear="none">><br clear="none">> I got the following error when the Client tries to connect.<br clear="none">> > Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'<br clear="none">><br clear="none">> I installed certification of the server:<br clear="none">> ipsec.d/certs/<br clear="none">><br clear="none">> /usr/local/etc/ipsec.d# ls certs/<br clear="none">> server.pem<br clear="none">><br clear="none">> When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed up.<br clear="none">><br clear="none">> Is it wrong about the way to store certificate?<br clear="none">> Or another reason? (e.g. 
plugin is not enough)<br clear="none">><br clear="none">> Regards,<br clear="none">><br clear="none">> Log:<br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA<br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)<br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)<br clear="none">> Feb 25 14:41:13 tester charon: 05[LIB] signature verification:<br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'<br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received<br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'</div><br clear="none"><br clear="none"><br clear="none">-- <br clear="none"><br clear="none">Mit freundlichen Grüßen/Kind Regards,<br clear="none">Noel Kuntze<br clear="none"><br clear="none">GPG Key ID: 0x63EC6658<br clear="none">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<div class="yiv2584448123yqt1993556077" id="yiv2584448123yqtfd67359"><br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></div></div></div><br><div class="yqt3201499638" id="yqt88921">_______________________________________________<br clear="none">Users mailing list<br clear="none"><a shape="rect" ymailto="mailto:Users@lists.strongswan.org" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br clear="none"><a shape="rect" href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></div><br><br></div>  </div> </div>  </div></div></body></html>